From ce0111fe4f1c5ea09a23c2be43fc1fcc1cdbdac8 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 24 Aug 2009 15:17:37 +0200 Subject: some UPN handling fixes - making the realm part upper case is now optional and done in the LDAP backend - using a username@realm UPN is now optional --- server/man/sssd-krb5.5.xml | 14 ++++++++++++++ server/man/sssd-ldap.5.xml | 16 ++++++++++++++++ server/providers/krb5/krb5_auth.c | 34 +++++++++++----------------------- server/providers/krb5/krb5_auth.h | 1 + server/providers/ldap/sdap.c | 8 +++++++- server/providers/ldap/sdap.h | 4 +++- server/providers/ldap/sdap_async.c | 30 +++++++++++++++++++++++++++--- 7 files changed, 79 insertions(+), 28 deletions(-) diff --git a/server/man/sssd-krb5.5.xml b/server/man/sssd-krb5.5.xml index d2b631ab4..3a22afcdb 100644 --- a/server/man/sssd-krb5.5.xml +++ b/server/man/sssd-krb5.5.xml @@ -62,6 +62,20 @@ + + + krb5try_simple_upn (boolean) + + + Set this option to 'true' + if an User Principle Name (UPN) cannot be found in sysdb + and you want to use an UPN like 'username@realm'. + + + Default: false + + + diff --git a/server/man/sssd-ldap.5.xml b/server/man/sssd-ldap.5.xml index 948b3e294..aa33c713c 100644 --- a/server/man/sssd-ldap.5.xml +++ b/server/man/sssd-ldap.5.xml @@ -218,6 +218,22 @@ + + force_upper_case_realm (boolean) + + + Some directory servers, for example Active Directory, + might deliver the realm part of the UPN lower case + which may cause the authentication to fail. Set this + option to a non-zero value, if you want to use an + upper case realm. + + + Default: false + + + + userFullname (string) diff --git a/server/providers/krb5/krb5_auth.c b/server/providers/krb5/krb5_auth.c index 45bbe4cbc..39bc17066 100644 --- a/server/providers/krb5/krb5_auth.c +++ b/server/providers/krb5/krb5_auth.c @@ -31,7 +31,6 @@ #include #include #include -#include #include @@ -41,25 +40,6 @@ #include "krb5_plugin/sssd_krb5_locator_plugin.h" #include "providers/krb5/krb5_auth.h" -#define REALM_SEPARATOR '@' - -static void make_realm_upper_case(const char *upn) -{ - char *c; - - c = strchr(upn, REALM_SEPARATOR); - if (c == NULL) { - DEBUG(9, ("No realm delimiter found in upn [%s].\n", upn)); - return; - } - - while(*(++c) != '\0') { - c[0] = toupper(*c); - } - - return; -} - static void fd_nonblocking(int fd) { int flags; @@ -452,11 +432,15 @@ static void get_user_upn_done(void *pvt, int err, struct ldb_result *res) case 1: upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL); - if (upn == NULL) { + if (upn == NULL && krb5_ctx->try_simple_upn) { /* NOTE: this is a hack, works only in some environments */ if (krb5_ctx->realm != NULL) { upn = talloc_asprintf(be_req, "%s@%s", pd->user, krb5_ctx->realm); + if (upn == NULL) { + DEBUG(1, ("failed to build simple upn.\n")); + } + DEBUG(9, ("Using simple UPN [%s].\n", upn)); } } break; @@ -472,8 +456,6 @@ static void get_user_upn_done(void *pvt, int err, struct ldb_result *res) goto failed; } - make_realm_upper_case(upn); - ret = krb5_setup(be_req, upn, &kr); if (ret != EOK) { DEBUG(1, ("krb5_setup failed.\n")); @@ -612,6 +594,7 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, struct bet_ops **ops, { struct krb5_ctx *ctx = NULL; char *value = NULL; + bool bool_value; int ret; struct tevent_signal *sige; @@ -651,6 +634,11 @@ int sssm_krb5_auth_init(struct be_ctx *bectx, struct bet_ops **ops, } ctx->realm = value; + ret = confdb_get_bool(bectx->cdb, ctx, bectx->conf_path, + "krb5try_simple_upn", false, &bool_value); + if (ret != EOK) goto fail; + ctx->try_simple_upn = bool_value; + /* TODO: set options */ sige = tevent_add_signal(bectx->ev, ctx, SIGCHLD, SA_SIGINFO, diff --git a/server/providers/krb5/krb5_auth.h b/server/providers/krb5/krb5_auth.h index d1c5c7c81..540f65fa0 100644 --- a/server/providers/krb5/krb5_auth.h +++ b/server/providers/krb5/krb5_auth.h @@ -61,6 +61,7 @@ struct krb5_ctx { char *kdcip; char *realm; + bool try_simple_upn; }; struct krb5_req { diff --git a/server/providers/ldap/sdap.c b/server/providers/ldap/sdap.c index 0b16db438..312a36745 100644 --- a/server/providers/ldap/sdap.c +++ b/server/providers/ldap/sdap.c @@ -40,7 +40,8 @@ struct sdap_gen_opts default_basic_opts[] = { { "groupSearchScope", "sub", NULL }, { "groupSearchFilter", NULL, NULL }, { "ldapSchema", "rfc2307", NULL }, - { "offline_timeout", "5", NULL } + { "offline_timeout", "5", NULL }, + { "force_upper_case_realm", "0", NULL } }; struct sdap_id_map default_user_map[] = { @@ -137,6 +138,11 @@ int sdap_get_options(TALLOC_CTX *memctx, &opts->offline_timeout); if (ret != EOK) goto done; + ret = confdb_get_bool(cdb, opts, conf_path, + "force_upper_case_realm", false, + &opts->force_upper_case_realm); + if (ret != EOK) goto done; + /* schema type */ if (strcasecmp(opts->basic[SDAP_SCHEMA].value, "rfc2307") == 0) { opts->schema_type = SDAP_SCHEMA_RFC2307; diff --git a/server/providers/ldap/sdap.h b/server/providers/ldap/sdap.h index 5afbcfc05..50fc3d109 100644 --- a/server/providers/ldap/sdap.h +++ b/server/providers/ldap/sdap.h @@ -84,8 +84,9 @@ enum sdap_result { #define SDAP_GROUP_SEARCH_FILTER 12 #define SDAP_SCHEMA 13 #define SDAP_OFFLINE_TIMEOUT 14 +#define SDAP_FORCE_UPPER_CASE_REALM 15 -#define SDAP_OPTS_BASIC 15 /* opts counter */ +#define SDAP_OPTS_BASIC 16 /* opts counter */ /* the objectclass must be the first attribute. * Functions depend on this */ @@ -139,6 +140,7 @@ struct sdap_options { int network_timeout; int opt_timeout; int offline_timeout; + bool force_upper_case_realm; /* supported schema types */ enum schema_type { diff --git a/server/providers/ldap/sdap_async.c b/server/providers/ldap/sdap_async.c index 7c6cd2c2a..855591782 100644 --- a/server/providers/ldap/sdap_async.c +++ b/server/providers/ldap/sdap_async.c @@ -18,11 +18,31 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . */ +#include #include "db/sysdb.h" #include "providers/ldap/sdap_async.h" #include "util/util.h" +#define REALM_SEPARATOR '@' + +static void make_realm_upper_case(const char *upn) +{ + char *c; + + c = strchr(upn, REALM_SEPARATOR); + if (c == NULL) { + DEBUG(9, ("No realm delimiter found in upn [%s].\n", upn)); + return; + } + + while(*(++c) != '\0') { + c[0] = toupper(*c); + } + + return; +} + /* ==LDAP-Memory-Handling================================================= */ static int lmsg_destructor(void *mem) @@ -841,6 +861,7 @@ static struct tevent_req *sdap_save_user_send(TALLOC_CTX *memctx, uid_t uid; gid_t gid; struct sysdb_attrs *user_attrs; + char *upn = NULL; req = tevent_req_create(memctx, &state, struct sdap_save_user_state); if (!req) return NULL; @@ -952,10 +973,13 @@ static struct tevent_req *sdap_save_user_send(TALLOC_CTX *memctx, if (el->num_values == 0) { DEBUG(7, ("User principle is not available for user [%s].\n", name)); } else { + upn = talloc_strdup(user_attrs, (const char*) el->values[0].data); + if (opts->force_upper_case_realm) { + make_realm_upper_case(upn); + } DEBUG(7, ("Adding user principle [%s] to attributes of user [%s].\n", - el->values[0].data, name)); - ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, - (const char *) el->values[0].data); + upn, name)); + ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, upn); if (ret) { goto fail; } -- cgit